John Pescatore

A member of the Gartner Blog Network


Twelve Word Tuesday: Measuring Security Program Effectiveness

October 28th, 2008 · 15 Comments

The best security program is at the business with the happiest customers.


15 responses so far

  • 1 Jabber // Oct 29, 2008 at 10:00 am

    hmmm… don’t they say ignorance is bliss also?

  • 2 Betsy Nichols // Oct 29, 2008 at 10:29 am

    This is a nice sound bite but it suffers from over simplification, IMHO.
    In the spirit of terseness (which I love about this blog) let me just cite one reasonably well-regarded model, namely the balanced scorecard. It includes three other perspectives besides the customer perspective for a good reason.

  • 3 Jeffrey Gorton // Oct 29, 2008 at 10:55 am

    True. Especially if one realizes that “happiness” comes from the utility of a thing — utility meaning that one derives more pleasure or value than harm from its use.

  • 4 John Pescatore // Oct 29, 2008 at 11:28 am

    Staying within the twelve word construct pretty much dictates sound bites, but here’s my thinking behind this:

    Over the long term, the most successful businesses are the ones that listen to their customers and provide products and services that their customers can depend on. There are lots of different products and services, lots of different reasons why people buy and what utility they get – it is definitely not one size fits all.

    Kaplan and Norton’s balanced scorecard approach for flowing top level management objectives and mission statements downwards in an organization added financial, internal business and innovation/learning perspectives to the customer perspective. That is certainly valid – but I think in security at least two of those three (financial and internal business process) have already been talked to death and are very commonly addressed by the ROSIs and ITILs of the world and the scads of dashboards out there.

    I think the hardest and most valuable part is determining how much security is enough for your particular business – in particular, for your particular customers. That connection – how does a security decision or expenditure relate to some noticeable customer benefit – is the least addressed and the least understood.

    This is not constant – it changes just as fast as your business environment changes. A great example is the pre-2001 Microsoft. It was popular and easy for us in security to trash the security of Microsoft’s products, but they had the happiest customers – they were steamrolling all the more secure products because the market conditions meant that security was not valued (this gets to the ignorance is bliss comment). It took the vulnerability-seeking attacks of 2001 to cause Bill Gates to say “OK, security is an in-demand feature” and start the process to turn Microsoft around on security.

    There are a lot of other examples of this. What I think is the real takeaway important issue is that there is a tendency for people in security to join the “Cult of the difficult problem” and treat security as some absolute – this must be done because it is on the security stone tablet that says so. There is a lot of talk in security about how to convince the business that the stone tablet needs to be baked into business systems but very, very little action in trying to understand what security is important for the success of the business – and if you believe that the long term (long term is key) success of the business is tied to happy customers, you get back to the twelve words.

    As an aside, this is why we always say “Protect the customer, protect the business – then demonstrate compliance.” Compliance regimes are one size fits all and are definitely *not* aimed at happy, safe customers.

  • 5 David Etue // Oct 29, 2008 at 2:44 pm

    10 words: People still love TJ Maxx because Visa lost, not them.

    And I don’t say that to necessarily disagree with John or want to pick on TJX because this could be anyone that has suffered a breach.

    If people don’t care and/or change their actions, was security appropriate? I’d say no, but I can see a credible argument.

  • 6 John Pescatore // Oct 29, 2008 at 3:03 pm

    The banks have done studies that show significant customer defection when the bank is the source of an identity theft incident – the customers are unhappy enough to switch to another bank. That’s because a large part of the customer happiness has to do with trusting the bank to safeguard their money – the identity theft problems undermine that trust, the customers aren’t happy.

    The customer happiness equation in retail is a different story (and the complex credit card liability spreading complicates it further) but even TJX changed a lot of their ways after the incident in an effort to deal with potentially unhappy customers – back to why I said above that “long term” is key. No airline’s passengers are happy after a plane crash but it takes the long term to determine if there is a customer-perceptible difference in safety across the airlines.

    We all know that online services would be much safer if everyone was forced to use strong authentication yet consumers reject it and show that they will do less online consumption if they are forced to augment reusable passwords with tokens. Which is the better security program: the safer one that customers dislike and don’t use, or the riskier one that generates higher revenue?

  • 7 Jeff Reava // Oct 29, 2008 at 3:37 pm

    To the extent that bad security, whether inadequate or oppressive, frustrates customers – this statement is true. Probably will become even more so as user generated content blurs the line between customer and company.

    I’d be tempted to try it this way:

    The best security program minimizes cost: from incidents, implementation, and process impact.

  • 8 Gunnar // Oct 29, 2008 at 3:40 pm

    “Which is the better security program: the safer one that customers dislike and don’t use, or the riskier one that generates higher revenue?”

    perfect question – Alan Greenspan’s customers loved his low interest rates and lack of regulation. And it worked great, until. Well…you know…

    Props to you for putting customer focus into infosec, which we need, just saying that it’s not the only measure.

  • 9 Mark Kadrich // Oct 29, 2008 at 7:44 pm

    Ignorance is bliss.

    Our experience indicates that the basic transactions themselves aren’t any more secure no matter what type of authentication a consumer uses. I say consumer versus customer since consumer more accurately describes the folks that use online banking. And consumers are quite happy to install a security tool on a rooted system. (It does seem like we’re talking about both kinds of users here since there is discussion of balanced score cards.)

    Consumers generally become unhappy only after a change in state – their computer functions slower or they detect a fraudulent charge. (Even then only for a short period of time.) So I would say that although happiness can be important, it is by no means required when mandatory security functions are indicated, implemented, and enforced.

  • 10 Dan Geer // Oct 30, 2008 at 8:39 am

    Security is when there are no surprises remaining that can’t be handled.

  • 11 John Pescatore // Oct 30, 2008 at 11:20 am

    Surprises: the lack of surprises that can’t be handled essentially means the lack of change.

    One of my favorite quotes is from Helen Keller: “Life is either a daring adventure or nothing at all. Security is mostly a superstition. It does not exist in nature.”

    The other issue is human nature is to be surprised constantly – it is part of being a hopeful species. For many, many people April 15th is a surprise each year. A common conversation right now is “Wow – it is really getting dark early, now”….

  • 12 Robert Graham // Nov 13, 2008 at 7:13 am

    The best security program is one whose benefits outweigh its costs.

    The fallacy of the cybersecurity industry is that security has no meaningful cost. We acknowledge it costs something, but we have no idea exactly how much because we spend all our time looking at the benefits.

    Yes, a bank loses customers when customers suffer from hacking. But a bank also loses customers when its security makes it too hard to bank there.

    Banks used to put bullet proof glass between the tellers and customers. However, customers found this unpleasant and took their business to more friendly banks. The costs of bullet proof glass, in terms of lost customers, exceeded its benefits, in terms of prevented robberies. Banks are now designed to be open and friendly to bank robbers.

    The Microsoft Vista UAC. (I had an entire paragraph explaining why the example of UAC supports my point, then I realized an explanation is redundant).

  • 13 John Pescatore // Nov 13, 2008 at 7:32 am

    That just loops back to what are the benefits? The costs are very obvious – both the direct procurement and operations costs that are eating up 7% of the average IT budget, and the business disruption costs that are constantly complained about by the business side.

  • 14 Follow-up Friday: Cost vs. Value of Security // Nov 21, 2008 at 9:03 am

    [...] had a fun bloggie style discussion on measuring the value of security programs a while back. All attempts to do so always run into problems measuring the cost or the benefits. Everyone [...]

  • 15 Is Security an Enabler or an Obstacle to Happy Customers? // Aug 14, 2009 at 7:31 am

    [...] year, in a Twelve Word Tuesday post I said “The best security program is at the business with the happiest customers.” Security and creativity are not antonyms – keeping your customer data safe and your [...]
